[
https://issues.apache.org/jira/browse/MNG-7776?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Herve Boutemy updated MNG-7776:
-------------------------------
Description:
Maven repository format requires .md5 and .sha1 fingerprints/checksums for
every artifact: https://maven.apache.org/repository/layout.html
.GPG signature (.asc) is not considered as an artifact, and it does not require
these fingerprints
While working on Sigstore support in addition to GPG, the same should be done
for Sigstore signatures: no fingerprint for .sigstore files (like no GPG
signature for Sigstore signature: see MGPG-86)
was:
Maven repository format requires .md5 and .sha1 fingerprints/checksums for
every artifact: https://maven.apache.org/repository/layout.html
.GPG signature (.asc) is not considered as an artifact, and it does not require
these fingerprints
While working on Sigstore support in addition to GPG, the same should be done
for Sigstore signatures: no fingerprint for .sigstore files (like no GPG
signature for Sigstore signature: see GPG-86)
> don't fingerprint Sigstore signatures (like GPG)
> ------------------------------------------------
>
> Key: MNG-7776
> URL: https://issues.apache.org/jira/browse/MNG-7776
> Project: Maven
> Issue Type: Improvement
> Affects Versions: 3.9.1, 4.0.0-alpha-5
> Reporter: Herve Boutemy
> Assignee: Herve Boutemy
> Priority: Major
>
> Maven repository format requires .md5 and .sha1 fingerprints/checksums for
> every artifact: https://maven.apache.org/repository/layout.html
> .GPG signature (.asc) is not considered as an artifact, and it does not
> require these fingerprints
> While working on Sigstore support in addition to GPG, the same should be done
> for Sigstore signatures: no fingerprint for .sigstore files (like no GPG
> signature for Sigstore signature: see MGPG-86)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
